In this AFRL-funded project, Galois developed TrackOS, a real-time operating system (RTOS) that provides a new technique for detecting malware on real-time embedded systems.
Instead of altering the behavior of the monitored software, TrackOS creates a separate task, which runs in the “slack time” of the real-time system. Using static analysis of the unmodified binaries, this monitor task is able to determine what well-behaved tasks look like and to unobtrusively check that the critical tasks on the system are all well behaved. If any tasks appear to be hijacked, the monitor task can notify a policy manager, which can perform appropriate remediations.
We have prototyped TrackOS and applied its analysis to an autopilot software system. In our demo on a remote-controlled helicopter, the policy manager performs an “auto-land” operation.